hbase-client-1.1.13.jar: 27 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - hbase-client-1.1.13.jar

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (hbase-client version)	Remediation Possible**
CVE-2022-26612	Critical	9.8	hadoop-common-2.7.3.jar	Transitive	N/A*	❌
CVE-2022-25168	Critical	9.8	hadoop-common-2.7.3.jar	Transitive	1.2.0	✅
CVE-2019-20445	Critical	9.1	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2019-20444	Critical	9.1	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2018-8029	High	8.8	hadoop-common-2.7.3.jar	Transitive	1.2.0	✅
CVE-2017-3166	High	7.8	hadoop-mapreduce-client-core-2.7.3.jar	Transitive	1.2.0	✅
CVE-2021-37137	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2021-37136	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2020-7238	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2019-16869	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2016-4970	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2015-2156	High	7.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
WS-2020-0408	High	7.4	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
WS-2016-7071	High	7.1	hadoop-common-2.7.3.jar	Transitive	1.2.0	✅
WS-2019-0379	Medium	6.5	commons-codec-1.9.jar	Transitive	1.2.0	✅
CVE-2023-34462	Medium	6.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2021-43797	Medium	6.5	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2017-15713	Medium	6.5	hadoop-common-2.7.3.jar	Transitive	1.2.0	✅
CVE-2018-8009	Medium	6.3	hadoop-common-2.7.3.jar	Transitive	1.2.0	✅
CVE-2021-21290	Medium	6.2	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2021-21409	Medium	5.9	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2021-21295	Medium	5.9	netty-all-4.0.23.Final.jar	Transitive	1.2.0	✅
CVE-2018-10237	Medium	5.9	guava-12.0.1.jar	Transitive	1.2.0	✅
CVE-2016-5725	Medium	5.9	jsch-0.1.42.jar	Transitive	1.2.0	✅
CVE-2023-2976	Medium	5.5	guava-12.0.1.jar	Transitive	1.2.0	✅
CVE-2022-24823	Medium	5.5	netty-all-4.0.23.Final.jar	Transitive	N/A*	❌
CVE-2020-8908	Low	3.3	guava-12.0.1.jar	Transitive	1.2.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-26612

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

Publish Date: 2022-04-07

URL: CVE-2022-26612

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612

Release Date: 2022-04-07

Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3

CVE-2022-25168

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

Publish Date: 2022-08-04

URL: CVE-2022-25168

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Release Date: 2022-08-04

Fix Resolution (org.apache.hadoop:hadoop-common): 2.10.2

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20445

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

### CVSS 3 Score Details (9.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution (io.netty:netty-all): 4.1.44.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20444

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

### CVSS 3 Score Details (9.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution (io.netty:netty-all): 4.1.44.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-8029

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Publish Date: 2019-05-30

URL: CVE-2018-8029

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029

Release Date: 2019-05-30

Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.5

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-3166

### Vulnerable Library - hadoop-mapreduce-client-core-2.7.3.jar

Apache Hadoop Project POM

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-mapreduce-client-core-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Publish Date: 2017-11-13

URL: CVE-2017-3166

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166

Release Date: 2017-11-08

Fix Resolution (org.apache.hadoop:hadoop-mapreduce-client-core): 2.7.4

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-37137

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-all): 4.1.68.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-37136

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-all): 4.1.68.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-7238

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution (io.netty:netty-all): 4.1.44.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-16869

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Publish Date: 2019-09-26

URL: CVE-2019-16869

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869

Release Date: 2019-09-26

Fix Resolution (io.netty:netty-all): 4.1.42.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2016-4970

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Publish Date: 2017-04-13

URL: CVE-2016-4970

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

Release Date: 2017-04-13

Fix Resolution (io.netty:netty-all): 4.0.37.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2015-2156

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution (io.netty:netty-all): 4.0.28.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2020-0408

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

### CVSS 3 Score Details (7.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution (io.netty:netty-all): 4.1.69.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2016-7071

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Hadoop versions 2.7.2 to 2.7.7 are vulnerable to Cross-Site Request Forgery that targets HTTP requests to “NameNode” and “DataNode”.

Publish Date: 2016-02-18

URL: WS-2016-7071

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-02-18

Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.0

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0379

### Vulnerable Library - commons-codec-1.9.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml,/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-email-bundle/nifi-email-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **commons-codec-1.9.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution (commons-codec:commons-codec): 1.13

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-34462

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-all): 4.1.94.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-43797

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution (io.netty:netty-all): 4.1.71.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-15713

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

Publish Date: 2018-01-19

URL: CVE-2017-15713

### CVSS 3 Score Details (6.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E

Release Date: 2018-01-19

Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.3

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-8009

### Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - hbase-common-1.1.13.jar - :x: **hadoop-common-2.7.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

Publish Date: 2018-11-13

URL: CVE-2018-8009

### CVSS 3 Score Details (6.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1593018

Release Date: 2018-11-13

Fix Resolution (org.apache.hadoop:hadoop-common): 2.7.4

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21290

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

### CVSS 3 Score Details (6.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution (io.netty:netty-all): 4.1.59.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21409

### Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml

Dependency Hierarchy: - hbase-client-1.1.13.jar (Root Library) - :x: **netty-all-4.0.23.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Publish Date: 2021-03-30

URL: CVE-2021-21409

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32

Release Date: 2021-03-30

Fix Resolution (io.netty:netty-all): 4.1.61.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-client): 1.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

snowdensb / nifi

hbase-client-1.1.13.jar: 27 vulnerabilities (highest severity is: 9.8) - autoclosed #618

Vulnerabilities

Details